Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast

Gal Badishi, Idit Keidar, Amir Sasson

Faculty of Electrical Engineering, Technion
DSN 2004

Post on 20-Dec-2015



Outline

• The problem
• Overview of gossip-based multicast
• Proposed solution - Drum
• Analysis and simulations
• Implementation and measurements
• Summary and general principles

Denial of Service (DoS)

• Unavailability of service
  – Exhausting resources
• Remote attacks
  – Network level
    • Solutions do not solve all application problems
  – Application level
    • Got little attention
    • Quantitative analysis of impact on application and identification of vulnerabilities needed

Challenges

• Quantify the effect of DoS at the application level
• Expose vulnerabilities
• Find effective DoS-mitigation techniques
  – Prove their usefulness using the found metric
• Multicast as an example

Tree-Based Multicast

• Use a spanning tree – most common solution
• No duplicates (optimal BW when network-level)
• Single points of failure

[Figure: diagram; label: Source]

Gossip-Based Multicast

• Progresses in rounds
• Every round
  – Choose random partners (view)
  – Send or receive messages
  – Discard old msgs from buffer
• Probabilistic reliability
• Uses redundancy to achieve robustness
• Two methods
  – Push
  – Pull

Push

[Figure: diagram; label: Source]

Pull

[Figure: diagram; label: Source]

Effects of DoS on Gossip

• Surprisingly, we show that naïve gossip is vulnerable to DoS attacks
• Attacking a process in pull-based gossip may prevent it from sending messages
• Attacking a process in push-based gossip may prevent it from receiving messages

Drum

• A new gossip-based ALM protocol
• Utilizes DoS-mitigation techniques
  – Using random one-time ports to communicate
  – Combining both push and pull
  – Separating and bounding resources
• Eliminates vulnerabilities to DoS
• Proven robust using formal analysis and quantitative evaluation

Random Ports

• Any request necessitating a reply contains a random port number
  – “Invisible” to the attacker (e.g., encrypted)
• The reply is sent to that random port
• Assumption: Network withstands load

[Figure labels: Request + random port number; Wait on random port; Wait on well-known port]

Combining Push and Pull

• Attacking push cannot prevent receiving messages via pull (random ports)
• Attacking pull cannot prevent sending via push
• Each process has some control over the processes it communicates with

Bounding Resources

• Motivation: prevent resource exhaustion
• Each round process a random subset of the arriving messages and discard the rest
• Separate resources for orthogonal operations

[Figure labels: Valid Request; Bogus Request; Round Duration]

Evaluation: Staged DoS Attacks

• Increasing strength – shows trend under DoS
• Fixed strength – exposes vulnerabilities
• Source is always attacked
• Analysis, simulations, measurements

Analysis – Increasing Strength

• Assume static group, strict subset is attacked
• Lemma 1: Drum’s propagation time is bounded from above by a constant independent of the attack rate
• Lemma 2: The propagation time of Push grows at least linearly with the attack rate
• Lemma 3: The propagation time of Pull grows at least linearly with the attack rate
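An added Python simulation (not part of the original slides, and not the authors' Java implementation) of the round model behind Lemmas 1–3, using the bounded random-subset intake from the Bounding Resources slide. Assumptions of this sketch: a per-round fan-in/fan-out of 4 (2 push + 2 pull for Drum), the attacker splits its x bogus messages evenly across an attacked process's well-known ports, pull-replies always arrive because they go to a one-time random port, and only processes still missing the message pull.

```python
import random

def accept(valid, bogus, bound, rng):
    """Bounded intake: process a random subset of at most `bound` arrivals.
    `valid` lists sender ids; `bogus` counts attacker messages on the same port."""
    arrivals = valid + [None] * bogus
    if len(arrivals) <= bound:
        return valid
    return [s for s in rng.sample(arrivals, bound) if s is not None]

def rounds_to_deliver(protocol, x, n=120, attacked_frac=0.10, fan=4,
                      rng=None, max_rounds=10_000):
    """Rounds until all n processes hold the source's message.
    x = bogus messages per attacked process per round (the attack rate)."""
    rng = rng or random.Random()
    push_f = {"push": fan, "pull": 0, "drum": fan // 2}[protocol]
    pull_f = fan - push_f
    n_attacked = int(n * attacked_frac)   # ids 0..n_attacked-1; id 0 is the source
    ports = (push_f > 0) + (pull_f > 0)   # well-known ports the attacker can flood
    has = [False] * n
    has[0] = True
    for rnd in range(1, max_rounds + 1):
        push_in = [[] for _ in range(n)]
        pull_in = [[] for _ in range(n)]
        for p in range(n):
            # Partners are chosen locally, uniformly among the other processes.
            for _ in range(push_f if has[p] else 0):
                push_in[(p + 1 + rng.randrange(n - 1)) % n].append(p)
            for _ in range(0 if has[p] else pull_f):   # simplification: holders do not pull
                pull_in[(p + 1 + rng.randrange(n - 1)) % n].append(p)
        new_has = has[:]
        for t in range(n):
            bogus = x // ports if t < n_attacked else 0
            if push_f and accept(push_in[t], bogus, push_f, rng):
                new_has[t] = True
            if pull_f and has[t]:
                # Replies go to the requester's one-time random port: not floodable.
                for r in accept(pull_in[t], bogus, pull_f, rng):
                    new_has[r] = True
        has = new_has
        if all(has):
            return rnd
    return max_rounds

def mean_rounds(protocol, x, trials=20, seed=2004):
    """Average propagation time over `trials` seeded runs."""
    rng = random.Random(seed)
    return sum(rounds_to_deliver(protocol, x, rng=rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for x in (0, 32, 128):
        print(x, {p: mean_rounds(p, x) for p in ("push", "pull", "drum")})
```

Separate bounds are what keep the flood on one of Drum's ports from consuming the intake budget of the other; merging `push_f` and `pull_f` into a single shared bound removes that isolation.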

[Figure: Expected Propagation Time, 10% Attacked. x-axis: Attack Rate; y-axis: # rounds. Series: Push, n = 1000; Push, n = 120; Pull, n = 1000; Pull, n = 120; Drum, n = 1000; Drum, n = 120]

[Figure: Expected Propagation Time, 10% Attacked (of 1000). x-axis: Attack Rate; y-axis: # rounds. Series: Drum - Known Ports; Drum - Random Ports]

[Figure: Expected Propagation Time, 10% Attacked (of 50). x-axis: Attack Rate; y-axis: # rounds. Series: Drum - Shared Bounds; Drum - Separate Bounds]

Analysis – Fixed Strength

• Lemma 4: For strong enough attacks, Drum’s expected propagation time is monotonically increasing as the percentage of attacked processes increases

[Figure: Expected Propagation Time, Fixed Strength (c = 10). x-axis: % attacked processes; y-axis: # rounds. Series: Push, n = 120; Push, n = 500; Pull, n = 120; Pull, n = 500; Drum, n = 120; Drum, n = 500]

High-Throughput Experiments

• Multithreaded Java implementation
• Single source creates 40 msgs/sec
• Round duration = 1 second
• Measure throughput and latency at the receiving processes

[Figure: Average Received Throughput, 10% Attacked. x-axis: Attack Rate; y-axis: Average Throughput (msgs/sec). Series: Drum; Push; Pull]

[Figure: CDF: Average Latency of Received Messages, 40% Attacked, Rate = 128. x-axis: Average Latency (msecs); y-axis: % of Correct Processes. Series: Drum; Push; Pull]

Summary

• Gossip-based protocols are very robust, but…
  – naïve gossip-based protocols are vulnerable to targeted DoS attacks
• Drum uses simple techniques to mitigate the effects of DoS attacks
• Evaluations show Drum’s resistance to DoS
• The most effective attack against Drum is a broad one

General Principles

• DoS-mitigation techniques:
  – random ports
  – neighbor-selection by local choices
  – separate resource bounds
• Design goal: eliminate vulnerabilities
  – The most effective attack is a broad one
• Analysis and quantitative evaluation of impact of DoS